Automata and Logics for Timed Message Sequence Charts

Automata and Logics for Timed Message Sequence Charts

S. Akshay^1,2, Benedikt Bollig¹, and Paul Gastin¹

1 LSV, ENS Cachan, CNRS, France

2 Institute of Mathematical Sciences, Chennai, India

Abstract. We provide a framework for distributed systems that impose tim- ing constraints on their executions. We propose a timed model of communicat- ing finite-state machines, which communicate by exchanging messages through channels and use event clocks to generate collections of timed message sequence charts (T-MSCs). As a specification language, we propose a monadic second- order logic equipped with timing predicates and interpreted over T-MSCs. We establish expressive equivalence of our automata and logic. Moreover, we prove that, for (existentially) bounded channels, emptiness and satisfiability are decid- able for our automata and logic.

1 Introduction

One of the most famous connections between automata theory and classical logic, es- tablished in the early sixties by B¨uchi and Elgot [7], is the equivalence of finite-state machines and monadic second-order logic (MSO) over words. This study of relations between logical formalisms and automata has had many generalizations including ex- tensions and abstractions of the definition of words themselves.

A natural extension, for instance, are timed words which are very important in the context of verification of safety critical timed systems. For this, we have automata mod- els such as timed automata [1] and event-clock automata (ECA) [2]. The latter have implicit clocks allowing them to record or predict time lapses. This is well-suited for real-time specifications (such as bounded response time) and allows for a suitable logi- cal characterization by a timed MSO over timed words as shown in [9].

On the other hand, in a distributed setting, we might have several agents interacting to generate a global behavior. This interaction can be specified using message sequence charts (MSCs) which generalize words and reflect the causality of events in a system execution. MSCs have been known for a long time independently, as they serve as documentation of design requirements that are referred throughout the design process and even in the final system integration and acceptance testing. MSCs are used for describing the behavior of communicating finite-state machines (CFMs) [6], which are a fundamental model for concurrent systems and communicating protocols. These CFMs have communicating channels between the constituent finite-state automata and a single MSC diagram subsumes a whole set of sequential runs of the CFM.

Our goal is to merge the timed and distributed approaches mentioned above. For this, we first consider timed MSCs (T-MSCs) which are just MSCs with time stamps at events (as in timed words). These are ideal to describe real-time system executions, keeping explicitly the causal relation between events. Next, we consider MSCs with timing constraints (TC-MSCs) where we associate lower and upper bounds on the time

interval between certain pairs of events. This is more suitable for a specifier and also useful to describe a (possibly infinite) family of T-MSCs in a finite way.

We introduce event clock communicating finite-state machines (EC-CFM) recog- nizing timed MSCs. These are CFMs equipped with implicit event clocks allowing us to record or predict time lapses as in the ECA. For the logical framework, we use a timed version of monadic second-order logic (TMSO) with additional timing predicates to specify necessary timing constraints. We interpret both EC-CFMs and TMSO over T-MSCs and prove a constructive equivalence between them, with and without bounds on channels. This is done by lifting the corresponding results from the untimed case [12, 11, 5] by using TC-MSCs, since they can be seen as MSCs whose labelings are extended by timing information and also as a representation of infinite sets of T-MSCs.

Further, we prove that, over “existentially bounded” channels, the emptiness check- ing of our automaton model and, thus, the satisfiability problem of our logic are de- cidable. Our approach consists of constructing a global finite timed automaton that can simulate the runs of the EC-CFM (which is a distributed machine) and so, reduce the problem to emptiness checking on a timed automaton. The hard part of the construction lies in “cleverly” maintaining the partial-order information (of the T-MSC) along the sequential runs of the global timed automaton, while using only finitely many clocks.

Related Work Past approaches to timing in MSCs with a formal semantics and analysis have been looked at in [3, 4, 8, 13]. While [3] and [4] only consider single MSCs or high-level MSCs, one of the first attempts to study channel automata in the timed set- ting goes back to Krcal and Yi [13], who provide local timed automata with the means to communicate via FIFO channels. They do not consider MSCs as a semantics of their automata but rather look at restricted channel architectures (e.g., one-channel systems) to transfer decidability of reachability problems from the untimed to the timed set- ting. A similar automaton model was independently introduced by Chandrasekaran and Mukund in [8], who even define its semantics in terms of timed MSCs. They propose a practical solution to a very specific matching problem using the tool UPPAAL.

Outline We define MSCs in Section 2, together with their timed extensions. Our logic and the automaton model are introduced in Section 3. We describe the equivalence results between our automata and logic over timed MSCs in Section 4. In Section 5, it is shown that emptiness of automata is decidable for existentially bounded channels.

2 Timed Message Sequence Charts

We fix a finite setAg of at least two agents or processes. The set of communication actions on processpisActp ={p!q |q∈Ag\ {p}} ∪ {p?q|q∈Ag\ {p}}, where p!qmeans that processpsends a message to processqandp?qmeans that processp receives a message from processq. Furthermore, we letAct =S

p∈AgActp.

AnAct-labeled partial order is a tripleM = (E,, λ)where(E,)is a finite partial order (elements from E are called events) andλ : E → Act is a labeling function. For e ∈ E,↓edenotes{e^′ ∈ E | e^′ e}. We define a message relation Msg^M ⊆E×E matching send events with their corresponding receives, assuming a FIFO architecture on the channels. That is,(e, e^′)∈Msg^M ifλ(e) =p!qandλ(e^′) = q?pfor somep, q∈Ag, and|↓e∩λ⁻¹(p!q)|=|↓e^′∩λ⁻¹(q?p)|.

A message sequence chart (MSC) is anAct-labeled partial orderM = (E,, λ) such that (i) for anyp∈ Ag, the restriction ofto processp(denotedp) is a total order, (ii) the partial orderis the transitive closure ofMsg^M ∪S

p∈Agp, and (iii) for any distinctp, q∈Ag, the number of send events is equal to the number of receive events, i.e,|λ⁻¹(p!q)|=|λ⁻¹(q?p)|.

p q r

e1

e^′1

e2

e^′2 e3

e^′3

Fig. 1. An MSC Fig. 1 depicts an MSC as a diagram. The events of each process

are arranged along the vertical lines and messages are shown as hor- izontal or downward-sloping directed edges. Note thatλ(e1) =p!q, λ(e2) = q?p,e1 p e^′₁,(e^′₂, e3) ∈ Msg^M ande1 e3. The lin- earizations of an MSC form a word language overActunderλ. E.g., (p!q)(q?p)(q!r)(p!r)(r?q)(r?p)is one linearization of the MSC in Fig. 1. An MSC is uniquely determined by one of its linearizations.

The first natural attempt while trying to add timing information to MSCs would be to add time stamps to the events of the MSCs. This is motivated from timed words where we have words with time stamps added at each action. This approach is quite realistic when we want to model the real-time execution of concurrent systems.

Definition 1. A timed MSC (T-MSC) is a tuple(E,, λ, t)where(E,, λ)is an MSC andt:E → R^≥0is a function such that ife1 e2thent(e1)≤t(e2). The set of all T-MSCs is denotedTMSC.

A timed linearization of a T-MSC is a possible execution in terms of a word from (Act×R^≥0)^∗, which thus respects both the causal order and the order imposed by the time stamping. A T-MSC is shown in 2(a). Note that it has several timed linearizations as the concurrent eventse4andf3occur at the same time. A possible timed linearization is(p!q,2)(q?p,2.1)(p!r,3)(r?p,3)(p!q,4)(q?p,4.5)(p!r,6)(q!r,6)(r?q,6)(r?p,7).

Now a family of T-MSCs with the same induced MSC can be specified by timing constraints on pairs of events of the MSC. This approach is better suited to a specifier who can then decide and enforce constraints between occurrences of events. As an example consider Fig. 2(b). The label (0,1]on message from e1 tof1 specifies the lower bound and upper bound on the delay of message delivery. The label[1,5]from f1toe^′₃represents the bounds on the delay betweenf1ande^′₃and so on.

The question here is how flexible do we want this timing to be, i.e, between which pairs of events do we allow constraints. For an MSCM = (E,, λ), one obvious set of pairs is given byMsg^Mwhich allows us to time messages. A more flexible approach is to allow timing between the next (or previous) event of any action and an event in the MSC. For this, we define the relationsNext^M_σ ,Prev^M_σ for everyσ∈Actas follows:

• Next^M_σ ={(e, e^′)|λ(e^′) =σ, e≺e^′, (e≺e^′′∧λ(e^′′) =σ) =⇒ e^′ e^′′}

• Prev^M_σ ={(e, e^′)|λ(e^′) =σ, e^′≺e, (e^′′≺e∧λ(e^′′) =σ) =⇒ e^′′e^′} E.g., in Fig. 2(b),(e2, e4)∈Next^M_p!r,(f1, e^′₃)∈Next^M_r?p, and(e4, e3)∈Prev^M_p!q. Note that these relations are in fact partial maps and hence one can also writef = Next^M_σ (e) for(e, f) ∈ Next^M_σ and similarly forPrev^M_σ . In factMsg^M can also been seen as a partial functionE99KEmapping a send event to its corresponding receive in the MSC M. Further, we remark that these relations can all be defined for a T-MSCT as well.

Since they depend only on the underlying partial order, we writeMsg^T,Next^T_σ, etc.

p q r e1,2

e2,3 e3,4

e4,6

f1,2.1

f2,4.5 f3,6

e^′1,3

e^′2,6 e^′3,7

p q r

e1

e2

e3

e4

f1

f2

f3

e^′1

e^′2

e^′3 (0,1]

[0,2]

[1,4]

[2,4]

[1,5]

(a) (b)

Fig. 2. A T-MSC and a TC-MSC

Let us denote the set of symbols{Msg} ∪ {Prev_σ |σ ∈ Act} ∪ {Next_σ |σ ∈ Act} byTC(for timing constraints). For an MSC (or T-MSC) M, we let TC^M = S

α∈TC(α^M) be our set of allowed timing pairs. This is flexible enough to specify what we need. It also generalizes the approach of D’Souza [9] in the timed words case.

Further, this is similar to the approach adopted by Alur et al. [3] to time MSCs and so we can use their analysis tool to check consistency of the timing constraints in an MSC.

To specify timing constraints we will use rational bounded intervals over the real line. These can be open or closed intervals but we require them to be nonempty and the bounds to be rational. The set of all such intervals is denoted byI.

Definition 2. An MSC with timing constraints (TC-MSC) is a tuple(E,, λ, τ)where M = (E,, λ)is an MSC andτ : TC^M 99K Iis a partial function. The TC-MSC is called maximally defined ifτis a total function.

With this definition, TC-MSCs can be considered as abstractions of T-MSCs and timed words. LetM = (E,, λ, τ)be a TC-MSC. A T-MSCT = (E,, λ, t)is a realization ofMif, for all(e, e^′)∈dom(τ), we have|t(e)−t(e^′)| ∈τ(e, e^′). Thus for instance, the T-MSC in Fig. 2(a) is a realization of the TC-MSC in Fig. 2(b).

3 Logic and Automata for Timed MSCs

Monadic Second-Order Logic We will define several monadic second-order logics as a means to describe sets of T-MSCs. Their syntax depends on a setRof (binary) relation symbols, which settles the access to the partial-order relation of an MSC or T-MSC. One example isR ={,Msg}containing symbols for the partial order and the message relation. The formal syntax of our logicTMSO(R)is given by:

ϕ::=P_σ(x)|x∈X|x=y|R(x, y)|δ(x, α(x))∈I| ¬ϕ|ϕ∨ϕ| ∃xϕ| ∃Xϕ whereσ∈Act,R∈ R,α∈TC,I ∈ I,x, yare individual (or first-order) variables, andX is a set (or second-order) variable (each from an infinite supply of variables).

LetT = (E,, λ, t)be a T-MSC and letIbe an interpretation that maps first-order variables to elements inE and second-order variables to subsets ofE. Let us define whenT,I|=ϕforϕ∈TMSO(R). As usual,Pσ(x)expresses thatxis labeled withσ, i.e.,λ(I(x)) =σ. The novelty is the timing predicateδ(x, α(x))∈Iby which we mean that the time difference betweenxandα^T(x)is contained inI, i.e.,T,I|=δ(x, α(x))∈ IifI(x)∈dom(α^T)and|t(I(x))−t(α^T(I(x)))| ∈I. For the setRof binary relation

symbols we will use R = {,Msg} or R≺· = {≺·p | p ∈ Ag} ∪ {Msg}. The interpretation of≺·pis the immediate successor relation on processp:≺·p:=≺p\ ≺p2. The interpretation ofMsgis indeed Msg^T. The rest of the semantics is classical for MSOlogics. For sentences ϕ in this logic, we defineLtime(ϕ) = {T ∈ TMSC | T |= ϕ}. The existential fragment of TMSO(R), which is denoted byETMSO(R), comprises all formulas∃X1. . .∃Xnϕsuch thatϕdoes not contain any set quantifier.

We will give TMSO formulas a natural semantics in terms of TC-MSCs, too. The only noteworthy difference is in the atomic predicateδ(x, α(x))∈ I. For a TC-MSC M = (E,, λ, τ), we define M,I |= δ(x, α(x)) ∈ I if τ(I(x), α^M(I(x))) ⊆ I, which implicitly impliesI(x) ∈dom(α^M)and(I(x), α^M(I(x)))∈dom(τ). The set of TC-MSCs that satisfy a TMSO sentenceϕis denoted byL_{T C}(ϕ). The following implication is easy to see. Its converse holds in a restricted case, as we will see later.

Lemma 3. Let a T-MSCT be a realization of some TC-MSCM and letϕbe a TMSO formula. Then,M ∈ L_TC(ϕ)impliesT ∈ L_time(ϕ).

Event-Clock Communicating Finite-State Machines (EC-CFMs) A natural model of communication protocols are communicating finite-state machines [6], which consist of finite-state machines with message channels between any pair of them. To introduce the timed model we attach recording and predicting clocks (as in [2]) to these machines.

Definition 4. An EC-CFM is a tupleA= (C,(Ap)_p∈Ag, F)whereCis a finite set of control messages,Ap= (Qp,→p, ιp)is a finite transition system overActp×[TC99K I]×C(i.e.,ιp∈Qpis the initial state and→pis a finite subset ofQp×Actp×[TC99K I]×C×Qp) with[TC 99K I]denoting the set of partial maps fromTCtoI, and F ⊆Q

p∈AgQpis a set of global final states.

The input of an EC-CFMAis a T-MSCT = (E,, λ, t). Consider a mapr:E→ S

p∈AgQp labeling each event of processpwith a state from Qp. Define r⁻ : E → S

p∈AgQpas follows: For eventein processp, if there is an evente^′in processpsuch thate^′≺·_p e, then we setr⁻(e) =r(e^′). Otherwise, we setr⁻(e) =ιp. Thenris said to be a run ofAonTif, for all(e, e^′)∈Msg^T withein processpande^′in processq, there are guardsg, g^′ ∈[TC99KI]and a control messagec∈Csuch that

(1) (r⁻(e), λ(e), g, c, r(e))∈ →_pand(r⁻(e^′), λ(e^′), g^′, c, r(e^′))∈ →_q,

(2) for allα∈dom(g), we havee∈dom(α^T)and|t(e)−t(α^T(e))| ∈g(α), and (3) for allα∈dom(g^′), we havee^′ ∈dom(α^T)and|t(e^′)−t(α^T(e^′))| ∈g^′(α).

Letrbe a run ofAonT. We definesp=r(ep), whereepis the maximal event in processp. If there are no events on processp, we sets_p=ι_p. Then runris successful if the tuple(s_p)_p∈Agbelongs toF. A T-MSC is accepted by an EC-CFMAif it admits a successful run. We denote byLtime(A)the set of T-MSCs that are accepted byA.

As in the logic, we can give EC-CFMs a semantics in terms of TC-MSCs as well.

For defining a run on TC-MSCM = (E,, λ, τ)we just replace condition (2) above by saying that, for allα∈dom(g), we must havee∈dom(α^M)andτ(e, α^M(e))⊆g(α).

We do the same for condition (3). Then, with the same notion of acceptance as above, we can denote the set of all TC-MSCs accepted by a given EC-CFMAasLT C(A).

Lemma 5. LetTbe a realization of some TC-MSCMand letAbe an EC-CFM. Then, M ∈ LTC(A)impliesT ∈ Ltime(A).

4 Equivalence of EC-CFMs and MSO Logic

In [5], the equivalence between EMSO formulas (with restricted signature) and CFMs over MSCs has been established. In [11], the equivalence between full MSO formulas and CFMs over MSCs has been described in the context of bounded channels. We will lift these theorems to the timed setting, using the concepts from the previous sections.

Theorem 6. LetLbe a set of T-MSCs. The following are equivalent:

1. There is an EC-CFMAsuch thatLtime(A) =L.

2. There isϕ∈ETMSO(R_≺·)such thatLtime(ϕ) =L.

The construction of an ETMSO formula from an EC-CFM follows the similar con- structions applied, for example, to finite and asynchronous automata. In addition, we have to cope with guards occurring on local transitions of the given EC-CFM. Assume thatg: TC99KIis such a guard. To ensure that the timing constraints that come along withgare satisfied we use the formulaV

α∈dom(g)δ(x, α(x))∈g(α).

The rest of this section is devoted to the construction of an EC-CFM from an ETMSO formula, whose size is elementary in the size of the formula. The basic idea is to reduce this to an analogous untimed result, which has also been applied in the settings of words and traces [9, 10]. For this, we establish a connection between TMSO and or- dinary MSO logic without timing predicate, and between EC-CFMs and their untimed variant. Usually, these untimed formalisms are parametrized by a finite alphabetΣto speak about structures whose labelings are provided byΣ. Hence, in our framework, we need to find a finite abstraction of the infinite set of possible time stamps. Applying this finite abstraction, we move from T-MSCs to TC-MSCs and establish the converse of Lemmas 3 and 5 in Lemmas 8 and 9, resp. This finally allows us to translate ETMSO formulas into EC-CFMs. We provide more details below.

First, we define proper interval sets. We call a set of intervalsS ⊆ Iproper if it forms a finite partition ofR^≥0. We say that an interval set refines another interval set if every interval of the latter is the union of some collection of intervals of the former. For any finite interval set, we can easily obtain a proper interval set refining it.

LetT = (E,, λ, t)be a T-MSC andSbe a proper interval set. We introduce the TC-MSCM_T^S := (E,, λ, τ)where, for any(e, e^′)∈ TC^T,τ(e, e^′)is defined to be the unique interval ofScontaining|t(e)−t(e^′)|.

Lemma 7. LetTbe a T-MSC and letSbe a proper interval set. Then,M_T^Sis the unique maximally defined TC-MSC that uses intervals fromSand admitsT as realization.

Given a TMSO formulaϕ, we let Int(ϕ)denote the finite set of intervals I for whichϕhas a sub-formula of the formδ(x, α(x))∈I. Similarly, for any EC-CFMA, we have a finite set, denotedInt(A), of intervals occurring inAas guards. Now look at any proper interval setS that refinesInt(ϕ). We can translate the TMSO formulaϕto another TMSO formulaϕ^S by replacing each sub-formula of the formδ(x, α(x))∈I by the formulaW

J∈S:J⊆Iδ(x, α(x))∈J. Using Lemma 7, we can show the following Lemmas, which then enable us to prove the reverse direction of Theorem 6.

Lemma 8. Given a T-MSC T, a TMSO formula ϕ, and a proper interval setS that refinesInt(ϕ), we haveT |=ϕiffM_T^S |=ϕiffM_T^S |=ϕ^S.

Lemma 9. LetAbe an EC-CFM and letSbe a proper interval set that refinesInt(A).

For a T-MSCT, we haveT ∈ Ltime(A)iffM_T^S ∈ LTC(A).

Proof (of Theorem 6, (2)→(1)). Observe that any TC-MSC can be viewed as an MSC with an additional labeling by removing the intervals from pairs of events and attaching them to the corresponding events. More precisely, a TC-MSCM = (E,, λ, τ)can be represented as an MSCM = (E,, λ, γ)with additional labelingγ:E →(TC99K I)describing the timing constraints, i.e.,γ(e)(α) =τ(e, α^M(e))ife∈dom(α^M)and (e, α^M(e))∈dom(τ); otherwise,γ(e)(α)is undefined. This view will allow us to ap- ply equivalences between logic and automata in the untimed case. So far, however, the additional labelingγis over an infinite alphabet, as there are infinitely many intervals that might act as constraints. So, for any proper interval setS, we defineTCMSC(S) as the set of TC-MSCs M = (E,, λ, τ)such that τ(e, e^′) ∈ S for any (e, e^′) ∈ dom(τ). Note that, ifM ∈ TCMSC(S)andI ∈ S thenM,I |=δ(x, α(x)) ∈ Iiff τ(I(x), α^M(I(x))) = I iffγ(I(x))(α) = I. Hence a timing predicate can be trans- formed into a labeling predicate: for anyϕ∈TMSOsuch thatInt(ϕ)⊆ S, there is an untimedMSOformulaϕsuch thatM,I|=ϕiffM ,I|=ϕfor allM ∈TCMSC(S).

In the following, we denote byL_u(ϕ)the set of MSCs with additional labelingγthat satisfy an untimed MSO sentenceϕ. We can build an untimedMSO(R_≺·)sentenceµ^S_≺·

such thatL_u(µ^S_≺·)is the set of maximally defined MSCsM = (E,, λ, γ)with addi- tional labelingγusing intervals fromS, i.e., for alle∈E, we haveα∈dom(γ(e))iff e∈dom(α^M)and in this caseγ(e)(α)∈ S.

Similarly, an EC-CFMAcan be interpreted over MSCs with the additional labeling γ by replacing conditions (2) and (3) of runs byγ(e) = gandγ(e^′) = g^′, resp. We denote byL_u(A)the untimed MSCs with additional labelingγthat are accepted byA.

Here, for a TC-MSCM ∈TCMSC(S)and an automatonAwith guards in[TC99K S], we haveM ∈ Lu(A)impliesM ∈ LTC(A). The converse does not hold in general.

Letϕ∈ETMSO(R_≺·)be the given formula and letSbe a proper interval set that refinesInt(ϕ). Consider the untimedMSO(R_≺·)-formulaψ=ϕ^S∧µ^S_≺·. By [5], there is an EC-CFMAwith guards from[TC 99K S]such thatLu(A) = Lu(ψ). We will show thatLtime(ϕ) =Ltime(A).

LetTbe a T-MSC. By Lemma 8 we haveT |=ϕiffM_T^S |=ϕ^S. SinceInt(ϕ^S)⊆ S andM_T^S ∈ TCMSC(S)we haveM_T^S |= ϕ^S iffM^S_T |=ϕ^S. Now,M_T^S is maximally defined, hence we obtainM^S_T |= µ^S_≺·. Therefore,T ∈ Ltime(ϕ)iffM^S_T ∈ Lu(ψ) = Lu(A). We have seen above that this implies M_T^S ∈ LTC(A). We show that here the converse holds, too. If M_T^S ∈ LTC(A)we can build a TC-MSC M^′ = (E, , λ, τ^′)such thatdom(τ^′)⊆dom(τ),τ^′(e, e^′) =τ(e, e^′)for all(e, e^′)∈dom(τ^′), and M^′ ∈ Lu(A). Now,Lu(A)⊆ Lu(µ^S_≺·)henceM^′is maximally defined and we obtain M^′ =M_T^S. To summarize, we have shown thatT ∈ Ltime(ϕ)iffM_T^S ∈ LTC(A), and we conclude with Lemma 9 that this is equivalent toT ∈ Ltime(A). ⊓⊔

To characterize EC-CFMs in terms of full TMSO, we need to define restrictions on the channel size. For an integerB > 0, a wordw ∈ Act^∗ isB-bounded if, for any p, q∈Ag and any prefixuofw, the number of occurrences ofp!qinuexceeds that of q?pby at mostB. An MSCM is said to be existentiallyB-bounded (∃-B-bounded) if

it has someB-bounded linearization. A T-MSC(E,, λ, t)is said to be untimed-∃-B- bounded if(E,, λ)is∃-B-bounded. Note that, directly lifting the definition of bounds from MSCs to T-MSCs is not completely intuitive: there are untimed-∃-1-bounded T- MSCs whose minimal channel capacity for a timed linearization exceeds 1.

Following the same lines as in the proof of Theorem 6 but using the equivalence result from [11], we can show the following theorem.

Theorem 10. LetB >0and letLbe a set of untimed-∃-B-bounded T-MSCs. There is an EC-CFMAwithLtime(A) =Liff there isϕ∈TMSO(R)withLtime(ϕ) =L.

Both directions are effective.

5 Deciding Emptiness of EC-CFMs

In this section, we investigate emptiness checking for EC-CFMs. While the problem is of course undecidable in its full generality, we give a partial solution to it.

Theorem 11. The following problem is decidable:

INPUT: An EC-CFMAand an integerB >0.

QUESTION: Is thereT ∈ Ltime(A)such thatThas aB-bounded timed linearization?

Here, a timed linearization ofT isB-bounded if the channel size never exceedsB during its execution.

We fix an EC-CFMA= (C,(Ap)_p∈Ag, F), withAp = (Qp,→p, ιp), andB > 0.

FromA, we build a (finite) timed automaton that accepts a timed wordw ∈ (Act× R^≥0)^∗iffwis aB-bounded timed linearization of some T-MSC inLtime(A). As empti- ness is decidable for finite timed automata [1], we have shown Theorem 11.

Let us first recall the basic notion of a timed automaton. For a setZof clocks, the setForm(Z)of clock formulas overZ is given by the grammarϕ ::= true| false | x∼c |x−y ∼c| ¬ϕ|ϕ1∧ϕ2 |ϕ1∨ϕ2wherex, y∈ Z,∼ ∈ {<,≤, >,≥,=}, andcranges overR^≥0.

A timed automaton (withε-transitions) overΣis a tupleB= (Q,Z, δ, ι, F)where Qis a set of states,Zis a set of clocks,ι∈Qis the initial state,F ⊆Qis the set of final states, andδ⊆Q×(Σ ·∪ {ε})×Form(Z)×2^Z×Qis the transition relation.

The definition of a run ofBand its languageL(B)⊆(Σ×R^≥0)^∗are as usual.

To keep track of the clock constraints used inA, we need to recover a partial order from a word. Firstly, the partial order of an MSC can be recovered from any of its linearizations. Ifwis a linearization of MSCM, thenM is isomorphic to the unique MSC(E,, λ)such thatE = {u ∈ Act^∗ | u 6= εandw = uvfor some v} (i.e., E is the set of nonempty prefixes ofw),λ(uσ) = σ for u ∈ Act^∗ andσ ∈ Act, andp = {(u, v) ∈ E×E | uis a prefix ofv andλ(u), λ(v) ∈ Actp}. Thus, we might consider the partial-order relation ofM to be a relation over prefixes of a given linearization ofM. We go further to describe deterministic finite automata (DFA) that actually run on words that are linearizations of an MSC and accept if the first and last letter of it are related under,Prev^M_σ , orNext^M_σ . More precisely, our finite automata will run on linearizations of MSCs with additional labelings in{0, . . . , B−1}. We say that such an MSC(E,, λ, ρ)(withρ :E → {0, . . . , B−1}) isB-well-stamped if, for anye∈E,ρ(e) =|↓e∩λ⁻¹(λ(e))| modB.

Lemma 12. There are DFAC^⊳ = (Q^⊳, δ^⊳, s^⊳₀, F^⊳) andC^⊲ = (Q^⊲, δ^⊲, s^⊲₀, F^⊲)over Act× {0, . . . , B−1}with|Q^⊳|=|Q^⊲|=B^O(|Ag|2)(forB ≥2) such that, for any w= (σ, m)w^′(τ, n)∈(Act× {0, . . . , B−1})^∗andu, v∈(Act× {0, . . . , B−1})^∗, the following holds: Ifuwvis a linearization of someB-well-stamped MSCM, then

• w∈L(C^⊳) iff (u(σ, m)w^′(τ, n), u(σ, m))∈Prev^M_σ and

• w∈L(C^⊲) iff (u(σ, m), u(σ, m)w^′(τ, n))∈Next^M_τ .

From now on, we supposeC^⊳ = (Q^⊳, δ^⊳, s^⊳₀, F^⊳)andC^⊲ = (Q^⊲, δ^⊲, s^⊲₀, F^⊲)from the above lemma to be fixed. We moreover suppose that the previous automatonC^⊳has a unique sink states^⊳_sink, from which there is no final state reachable anymore.

The Timed Automaton Let us describe a timed automatonB that simulates the EC- CFMA. To simplify the presentation, we allow infinitely many clocks and infinitely many states, though on any run only finitely many states and clocks will be seen. Later, we will modify this automaton in order to get down to finitely many states and clocks.

We useInd = Act ×Nas (an infinite) index set. A state of the timed automaton B= (QB,Z, δ, ι_B, FB)will be a tuplest = (s, χ, η, ξ^⊳, ξ^⊲, γ^⊲, γ^m)where

• s= (sp)p∈Ag ∈Q

p∈AgQpis a tuple of local states,

• χ:Ag²→C^≤Bdescribes the contents of the channels,

• η : Act → {0, . . . , B−1}gives the number that should be assigned to the next occurrence of an action,

• ξ^⊳: Ind99KQ^⊳andξ^⊲: Ind99KQ^⊲associate with “active” indices, states in the previous and next automata as given by Lemma 12,

• γ^⊲: Ind99KInt(A)associates next constraints with active indices, and

• γ^m:Ag²× {0, . . . , B−1}99KInt(A)describes the guards attached to messages.

The initial state isιB= ((ιp)p∈Ag, χ0, η0, ξ₀^⊳, ξ₀^⊲, γ₀^⊲, γ₀^m)whereχ0andη0map any argument to the empty word and0, resp., and the partial mapsξ^⊳₀,ξ₀^⊲,γ₀^⊲, andγ₀^mare nowhere defined. We will use clocks from the (infinite) setZ ={z^⊳_σ,i, z^⊲_σ,i |(σ, i) ∈ Ind} ∪ {z^m_p,q,i|(p, q, i)∈Ag²× {0, . . . , B−1}}.Then,δ⊆Q_B×Act×Form(Z)× 2^Z×Q_Bcontains((s, χ, η, ξ^⊳, ξ^⊲, γ^⊲, γ^m), τ, ϕ, R,(s^′, χ^′, η^′, ξ^′⊳, ξ^′⊲, γ^′⊲, γ^′m))if there is a local transition(sp, τ, g, c, s^′_p)∈ →pon processpsuch that

• s^′_r=s_rfor allr∈Ag\ {p}.

• ifτ =p!q, thenχ^′(p, q) =c·χ(p, q)andχ^′(r, s) =χ(r, s)for(r, s)6= (p, q).

• ifτ =p?q, thenχ(q, p) =χ^′(q, p)·candχ^′(r, s) =χ(r, s)for(r, s)6= (q, p).

• η^′(τ) = (η(τ) + 1) modBandη, η^′coincide on all other actions.

• The states of the previous automata are updated. We initialize a new copy starting on the current position in order to be able to determine which latter positions are related with the current one byPrev^T_τ. We also reset a corresponding new clockz_τ,i^⊳ (see below). Indeed, all existing copies ofC^⊳are updated except those that would reach thes^⊳_sinkstate which are released since they will not be needed anymore.

ξ^′⊳(σ, i) =











δ^⊳(s^⊳₀,(τ, η(τ))) ifσ=τ ∧ i= min(N\dom(ξ^⊳(σ))) δ^⊳(ξ^⊳(σ, i),(τ, η(τ))) if(σ, i)∈dom(ξ^⊳) ∧

δ^⊳(ξ^⊳(σ, i),(τ, η(τ)))6=s^⊳_sink

undefined otherwise,

• The states of the next automata are updated similarly, starting a new copy ofC^⊲for each actionσsuch that there is aNextσconstraint on the local transition. We also reset corresponding new clocksz_σ,i^⊲ (see below).

ξ^′⊲(σ, i) =











δ^⊲(s^⊲₀,(τ, η(τ))) ifNextσ∈dom(g) ∧ i= min(N\dom(ξ^⊲(σ))) δ^⊲(ξ^⊲(σ, i),(τ, η(τ))) if(σ, i)∈dom(ξ^⊲) ∧ (σ6=τ ∨

δ^⊲(ξ^⊲(σ, i),(τ, η(τ)))∈/ F^⊲)

undefined otherwise.

• The next guards are updated. Each guard generating a new copy ofC^⊲is recorded with the same new index. Guards that were registered before and are matched by the current action are released. All other recorded guards are kept unchanged.

γ^′⊲(σ, i) =







g(Nextσ) ifNextσ ∈dom(g) ∧ i= min(N\dom(ξ^⊲(σ))) undefined ifσ=τ ∧ ξ^′⊲(τ, i)∈F^⊲

γ^⊲(σ, i) otherwise.

• The guards attached to message constraints are updated similarly.

γ^′m(r, s, i) =







g(Msg) ifMsg∈dom(g) ∧ τ=r!s ∧ i=η(τ) undefined ifτ=s?r ∧ i=η(τ)

γ^m(r, s, i) otherwise.

• The guardϕmakes sure that all constraints that get matched at the current event are satisfied. E.g., if the local transition contains aPrevσconstraint, then we have to checkz^⊳_σ,i ∈g(Prevσ)for the (unique)isuch thatξ^′⊳(σ, i)∈F^⊳. If there is no suchithen there is noσin the past of the current event and thePrevσconstraint of the local transition cannot be satisfied. In this case, we setϕto false.

ϕ= ^

(σ,i)|Prevσ∈dom(g) andξ^′⊳(σ,i)∈F^⊳

z_σ,i^⊳ ∈g(Prevσ) ∧ ^

σ|Prevσ∈dom(g) and{i|ξ^′⊳(σ,i)∈F^⊳}=∅

false

∧ ^

i∈dom(γ^⊲(τ))| ξ^′⊲(τ,i)∈F^⊲

z_τ,i^⊲ ∈γ^⊲(τ, i) ∧ ^

(q,p,i)∈dom(γ^m)| τ=p?q, η(τ)=i

z^m_q,p,i∈γ^m(q, p, i)

• All newly defined clocks have to be reset, so we set R to be the union of sets {z_τ,i^⊳ | i = min(N\dom(ξ^⊳(τ)))},{z_p,q,i^m |τ =p!qandi =η(τ)}, and{z_σ,i^⊲ | Nextσ∈dom(g)andi= min(N\dom(ξ^⊲(σ)))}.

Finally, the set of accepting statesF_Bconsists of all tuples(s, χ, η, ξ^⊳, ξ^⊲, γ^⊲, γ^m) inQ_Bsuch thats∈F,χ=χ0, and the partial mapsγ^⊲andγ^mare nowhere defined.

This ensures that each registered guard has been checked. Indeed, a constraint registered inγ^⊲orγ^mis released only when it is checked with the guardϕ.

One critical observation here is that, once we have specified the local transition of A, this global transition of Bgets determined uniquely. Thus, this step is always deterministic. Note that the above automatonBhas noε-transitions either.

Theorem 13. Baccepts precisely theB-bounded timed linearizations ofLtime(A).

A Finite Version ofB To get down to a finite timed automaton that is equivalent toB, we have to bound the number of copies of the automataC^⊳andC^⊲that are active along a run. We can show that the number of active copies ofC^⊳is already bounded:

Proposition 14. Assume that(s, χ, η, ξ^⊳, ξ^⊲, γ^⊲, γ^m)is a reachable state ofB. Then, dom(ξ^⊳)⊆Act× {0, . . . ,|Q^⊳|}.

We deduce that, for the previous constraints, we can restrict to the finite index set Ind^⊳=Act× {0, . . . ,|Q^⊳|}: in a reachable state,ξ^⊳is a partial map fromInd^⊳toQ^⊳. This also implies thatBuses finitely many previous clocks from{z_σ,i^⊳ |(σ, i)∈Ind^⊳}.

The remaining source of infinity comes from next constraints. The situation is not as easy as for previous constraints. The problem is that the number of registeredNextσ

constraints,|dom(γ^⊲)|, may be unbounded. Assume that(σ, i),(σ, j)∈ dom(γ^⊲)for somei6=j. Then, also(σ, i),(σ, j)∈dom(ξ^⊲)and the clocksz_σ,i^⊲ andz^⊲_σ,jhave been reset. If we haveξ^⊲(σ, i) =ξ^⊲(σ, j)then the constraints associated withiandjwill be matched simultaneously. When matched, the guard on the transition ofBwill include bothz_σ,i^⊲ ∈γ^⊲(σ, i)andz_σ,j^⊲ ∈γ^⊲(σ, j). The idea is to keep the stronger constraint and to release the other one. To determine the stronger constraint we have to deal separately with the upper parts and the lower parts of the constraints. An additional difficulty comes from the fact that the two clocks have not been reset simultaneously.

Letx ∼candx^′ ∼^′ c^′ be two upper-guards which means that∼,∼^′ ∈ {<,≤}.

We say that x ∼ c is stronger thanx^′ ∼^′ c^′ if, when evaluated at the same instant, x∼cholds impliesx^′ ∼^′ c^′holds as well. The stronger constraint can be determined with a diagonal guard:x∼cis stronger thanx^′ ∼^′ c^′if eitherx^′−x < c^′−cor else x^′−x≤c^′−cand (∼=<or∼^′ =≤). The relation stronger than is transitive and total among upper-guards. We can define similarly stronger than for lower-guards, i.e, when∼,∼^′ ∈ {>,≥}. We havex∼cstronger thanx^′ ∼^′ c^′ if eitherx^′−x > c^′−c or elsex^′−x≥c^′−cand (∼=>or∼^′=≥).

Now, we get back to our problem and show how to changeB so that the size of dom(ξ^⊲)in a statest = (s, χ, η, ξ^⊳, ξ^⊲, γ^⊲, γ^m)can be bounded by|Act| ·(2|Q^⊲|+ 1).

Note thatdom(γ^⊲) = dom(ξ^⊲). A transition ofBmay initiate at most|Act|new copies ofC^⊲(one for eachσ∈Actsuch thatNextσ ∈dom(g). Hence, we say that statestis safe if for allσ∈Actwe have|dom(ξ^⊲(σ))| ≤2|Q^⊲|. The transitions ofBare kept in the new automatonB^′only when they start in a safe state.

Ifstis not safe, then|{i|ξ^⊲(σ, i) =q}|>2for someσ∈Actandq∈Q^⊲. In this case, we say thatstis unsafe for(σ, q)and letActive(σ, q) ={i|ξ^⊲(σ, i) =q}.

IfActive(σ, q) 6= ∅, letiu ∈ Active(σ, q)be such that the upper-guard defined byz^⊲_σ,iu ∈ γ^⊲(σ, iu)is stronger than all upper-guards defined byz_σ,j^⊲ ∈ γ^⊲(σ, j)for j∈Active(σ, q). Further, letiℓ∈Active(σ, q)be defined similarly for lower-guards.

From the definition of the relation stronger than we know that all constraintsz_σ,j^⊲ ∈ γ^⊲(σ, j)forj∈Active(σ, q)are subsumed by the conjunction ofz_σ,i^⊲ _ℓ ∈γ^⊲(σ, iℓ)and z_σ,i^⊲ _u ∈γ^⊲(σ, iu). Therefore, we can release all next constraints associated with(σ, j) withj ∈Active(σ, q)\ {iℓ, iu}.

To do this, we add to B^′ an ε-transition (st, ϕ(σ, q, iℓ, iu), ε,∅,st^′). The guard should evaluate to trueifiℓ andiu determine stronger lower- and upper-constraints among those defined byActive(σ, q). Since the relation stronger than can be expressed

with diagonal constraints, we haveϕ(σ, q, iℓ, iu) ∈ Form(Z). We have that, in state st^′= (s, χ, η, ξ^⊳, ξ^′⊲, γ^′⊲, γ^m), only the next information is changed:

γ^′⊲(τ, i) =

(undefined ifτ =σandi∈Active(σ, q)\ {i_ℓ, iu} γ^⊲(τ, i) otherwise

ξ^′⊲(τ, i) =

(undefined ifτ =σandi∈Active(σ, q)\ {i_ℓ, iu} ξ^⊲(τ, i) otherwise.

Then,{i|ξ^′⊲(σ, i) =q}={i_ℓ, iu}andst^′is safe for(σ, q).

We deduce that in the automatonB^′, we can restrict to the finite index setInd^⊲ = Act× {0, . . . ,2|Q^⊲|}for the partial mapsξ^⊲andγ^⊲used for the next constraints. Con- sequently,B^′uses finitely many next clocks from{z_σ,i^⊲ |(σ, i)∈Ind^⊲}. The following proves Theorem 11, from which we deduce a decidability result for our logic.

Theorem 15. The timed automatonB^′is finite. It hasB^O(|Ag|2)many clocks (forB≥ 2), and we haveL(B^′) =L(B).

Corollary 16. The following problem is decidable:

INPUT:ϕ∈TMSO(R)and an integerB >0.

QUESTION: Is thereT ∈ Ltime(ϕ)such thatThas aB-bounded timed linearization?

Acknowledgment We thank Martin Leucker for motivating discussions.

References

1. R. Alur and D. L. Dill. A theory of timed automata. TCS, 126(2):183–235, 1994.

2. R. Alur, L. Fix, and T. A. Henzinger. Event-clock automata: A determinizable class of timed automata. TCS, 211(1-2):253–273, 1999.

3. R. Alur, G. Holzmann, and D. Peled. An analyser for message sequence charts. In TACAS 1996, pages 35–48, 1996.

4. H. Ben-Abdallah and S. Leue. Timing constraints in message sequence chart specifications.

In Proc. of FORTE 1997, pages 91–106, 1997.

5. B. Bollig and M. Leucker. Message-passing automata are expressively equivalent to EMSO logic. TCS, 358(2-3):150–172, 2006.

6. D. Brand and P. Zafiropulo. On communicating finite-state machines. Journal of the ACM, 30(2), 1983.

7. J. B¨uchi. Weak second order logic and finite automata. Z. Math. Logik, Grundlag. Math., 5:66–62, 1960.

8. P. Chandrasekaran and M. Mukund. Matching scenarios with timing constraints. In FOR- MATS 2006, pages 91–106, 2006.

9. D. D’Souza. A logical characterisation of event clock automata. International Journal of Foundations of Computer Science, 14(4):625–640, 2003.

10. D. D’Souza and P. S. Thiagarajan. Product interval automata: A subclass of timed automata.

In FSTTCS 1999, pages 60–71. Springer-Verlag, 1999.

11. B. Genest, D. Kuske, and A. Muscholl. A Kleene theorem and model checking algorithms for existentially bounded communicating automata. IC, 204(6):920–956, 2006.

12. J. G. Henriksen, M. Mukund, K. N. Kumar, M. Sohoni, and P. S. Thiagarajan. A theory of regular MSC languages. IC, 202(1):1–38, 2005.

13. P. Krcal and W. Yi. Communicating timed automata: The more synchronous, the more diffi- cult to verify. In CAV 2006, volume 4144 of LNCS, pages 243–257. Springer, 2006.